High RAM Usage with Concurrent Logging Mode in ModSecurity

[SonNgo2211]

Description

I am experiencing an issue where my application consumes a high amount of RAM when using the Concurrent Logging mode in ModSecurity. The memory usage increases gradually over time and does not decrease, even after periods of low activity, until I cleaned the logs.

Environment

• ModSecurity Version: 3.0.13
• Web Server: Nginx 1.27.1
• Application Details: a PHP-based web app
• Concurrent Logging Configuration:
  SecAuditLogType Concurrent
  SecAuditLogStorageDir /var/log/modsec/audit

Steps to Reproduce

1. Enable Concurrent Logging mode in ModSecurity configuration.
2. Run the application under normal traffic.
3. Monitor RAM usage over time (e.g., using top or htop or metric Grafana).
4. Observe that RAM usage increases continuously without dropping.
5. Clear the log in /var/log/modsec directory and watch the RAM decrease.

Expected Behavior

• RAM usage should remain stable or decrease during low traffic periods.

Actual Behavior

• RAM usage increases gradually and does not decrease, leading to potential memory exhaustion.

Additional Information

Ram increased from 300MiB to 4GiB in almost 30 days on nginx:

Ram usage reduced after cleaning up logs:

Request

I would appreciate any insights or solutions to mitigate this memory consumption issue. Is there a recommended configuration for Concurrent Logging to prevent memory leaks, or is this a bug?

Thank you for your help!

[airween]

Hi @SonNgo2211,

thanks for reporting.

I would appreciate any insights or solutions to mitigate this memory consumption issue. Is there a recommended configuration for Concurrent Logging to prevent memory leaks, or is this a bug?

Unfortunately there is no any "recommended" configuration. I think this is a bug.

To investigate the issue, could you share your relevant config (including vhost's config - only the ModSec related parts).

[SonNgo2211]

Hi @airween, thank you for looking into this issue.To provide more context, I would like to share my HTTP and vhost configurations below. However, I suspect that the issue might not be directly related to these configurations but maybe something in Modsecurity is caching log data in RAM.

HTTP Configuration

Here is my current HTTP configuration (relevant parts):

worker_processes  auto;
worker_rlimit_nofile 100000;
pid        /var/lib/nginx/nginx.pid;

load_module modules/ngx_http_js_module.so;
events {
    worker_connections  2048;
}
http {
    include      /etc/nginx/mime.types;
    default_type  application/octet-stream;
    map_hash_max_size 2048;
    map_hash_bucket_size 256;
    
    client_max_body_size 30M; 
    large_client_header_buffers 4 16k; 
    modsecurity_rules_file /etc/modsecurity/config/include.conf;
    modsecurity_transaction_id "$request_id";
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    gzip on;
    gzip_min_length 10240;
    gzip_vary on;
    ....
}

Virtual Host Configuration

Here is my vhost configuration:

server {
    listen 80;
    listen [::]:80;
    server_name ashop.com.net;

    listen 443 ssl;
    listen [::]:443 ssl;

    gzip  on; 
    client_body_buffer_size 64k;

    modsecurity on;
    location = /access.html {
      root /usr/share/nginx/html;
      internal;
      set $requestID $request_id;
    }

    location / {
        set $default_connection_header close;
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
        client_max_body_size 30m;

        proxy_buffering on;
        proxy_buffers 8 16k;
        proxy_buffer_size 16k;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $vs_connection_header;
        proxy_pass_request_headers on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host "$host";
        proxy_pass http://ashop-upstream/;
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 0s;
        proxy_next_upstream_tries 0;
    }
    ....
}

I’m happy to provide additional details if needed. Looking forward to your feedback!